New Processor Vulnerability Discovered

Microsoft and Google Project Zero researchers announced today a new category of processor vulnerability known as a speculative execution side channel vulnerability, or Speculative Store Bypass, that is closely related to the Spectre Variant 1 vulnerability. Microsoft has also released a security advisory for the new vulnerability.

Impressively, AMD has already released a 5-page whitepaper on the vulnerability, as well as a post on their security updates page outlining that they will be providing updates back to the Bulldozer series of processors. Even more remarkable is that AMD states that these updates are already in the hands of Microsoft, which is completing final testing and validation, and that they will be released over the standard update process.

I can't help but just shake my head at yet another CPU vulnerability being discovered when I still have not gotten a BIOS update for the first Spectre on my X99 system. I must give kudos to AMD, though, for already having the update going through validation and ready on the day of release, and not just for Windows: the AMD page also notes that Linux distributors are creating the system updates as well. However, on the Intel side, there is deafening silence. Thanks to cageymaru for the story.

An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries. Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability. In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639. However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.

I'm due for an upgrade this year but I don't want to purchase a known broken CPU. Now Intel has delayed their next consumer CPU architecture to 2019. Wonder if that new architecture just got delayed another 6 months due to this.

You might be waiting years for that to happen, assuming more aren't found in the meantime. It takes a long time to develop new hardware from scratch and release it to the public.

Intel, AMD and others have known about Meltdown and Spectre for almost a year now and probably understood the other flaws were going to be discovered. I think for consumers that don't need hardware currently, it'd be tough to do an upgrade with something that you know is flawed.

There will always be flaws. If you buy a Meltdown and Spectre fixed CPU in the future, they'll find another CPU flaw a couple years after you buy it. It's a never ending battle.

So some researchers are finding vulnerabilities that no private citizen or even a non-government organization can ever exploit, and we all get punished by diminished performance due to patches, as if there aren't hundreds of other exploits in our system that those big security organizations / governments can use already.

Seems to be par for the course lately with this stuff. Also makes me wonder how many of their original engineers who may have spoken up about this back in the day are still with them and able to provide credible solutions. Considering how long it's still taking for the ones that came almost a year ago I'm guessing closer to none. Yet more reasons I'm looking forward to an AMD based rig in 2-4 years when I might need one.

For those wondering if there is an end to these, probably not. Even after countless patches and now deprecation, new Flash exploits keep appearing. Anyone expect an end to JavaScript hacks? Or folks finding new ways to exploit HTTPS traffic? This is the world of tech. It has flaws. Bad folk exploit the flaws for personal gain. All most of us can do is perform a risk of breach, cost of breach, cost of mitigation analysis and react accordingly.

Given the low cost of a basic machine these days, might be worth it to pick one up for use as your banking, online ordering, email, etc. machine and patch the crap out of it and accept the performance losses.

Skip the performance harming patches on your retina detaching performance gaming rig and accept that you might have to do the occasional wipe and reinstall.

It is a shame these exploits don't translate to cheaper 2nd hand Xeon CPUs yet. I would love to pick up a 22 core for $100.

I would wait until someone makes a virus or malware that exploits this and then steals tons of data, cause we all know these "fixes" just fix the demo that shows the exploit and not the exploit itself. Best yet, Intel rushes a fix and it ends up breaking all the servers that applied it for over a week. We'll call it the black internet week. I guarantee you those Xeon chips will be $100 or less after that situation.

I agree, we're not running banking systems in our homes. These performance impacting patches should be strictly opt-in. I prefer to keep whatever little performance I can afford. I'm not a target for corporate espionage, and I make backups. And honestly what are we talking about? If someone wants it bad enough they'll just get physical access or kidnap you and torture you for the password.

This sounds like another of the Spectre variants they were going to release earlier in the month. Great, I have a fairly secure OS on my desktop, but flawed hardware (Win10 & i3 4330), but my smartphone has clean hardware but an insecure OS (Snapdragon 425, 4x A53s & Android 7).

This is exactly why I decided not to upgrade this year, keep my i7 4790K with my 2 1080 Ti's and wait it out till Intel releases a whole new architecture without these faults.

While AMD IS Appealing, my personal history with AMD Based CPUs keeps me from EVER going back. I had major issues with my AMD Athlon 2400+ and would NEVER switch back.

Burned that bridge a long time ago.

With a late model 4790K, I don't blame you for holding out a while longer. Nothing new is really compelling.

However, I think it's time to drop the Thoroughbred grudge. AMD has come a long way, but more importantly, so have motherboard manufacturers. All the problems with the Athlons were related to abysmal knockoff components on the motherboard.

Agreed... The 2400+ was a gem during that time period. Unfortunately, there were several ways to make them look awful. Bad motherboard designs and components were way too common, the chipset support was less than inspiring, many badly made cooling solutions and there was an abundance of garbage power supplies. Get any one of the three and it was a nightmare.

I was actually impressed with the Ryzen 1400 so I felt fine getting the 2700X for my main rig (replacing a 5960X, mobo started acting up). It’s my first AMD CPU since the K6-2 350 MHz and it’s been rock solid.

I stayed away from AMD for the reasons you mentioned. Seems like they have that ironed out with Zen+.

I understand the mentality though. I had 3/3 EVGA 1080ti Hybrids shit the bed. I won’t be buying from EVGA again. Hybrids anyways. I love their PSUs with the single 12V rails.